Social Engineering - Employee Vulnerability Assessment

Showing We’re Only Human

It’s unsettling to think that your entire network could be compromised if one of your employees unknowingly clicks the wrong link or lets the wrong person through your door. Our Social Engineering Vulnerability Assessments are designed to lower this risk by identifying weaknesses that could allow attackers to target unsuspecting or uninformed employees. We conduct these tests using the tactics of social engineering, such as deception, manipulation, and intimidation, to see whether we can get the people in your organization to accidentally compromise your information.

Through the Assessment, we will:

Demonstrate how well employees are complying with organizational procedures and processes.

Provide valuable data that can be incorporated into ongoing security awareness programs.

The Tyler Cybersecurity Methodology

We perform our Social Engineering Assessments through face-to-face, voice, email, and web communication. Prior to testing, we may do a footprint analysis to see what kind of company-specific information is publicly available. Such information can help to personalize the Assessment. Tyler Cybersecurity offers several different types of Social Engineering Vulnerability Assessments, including:

Phone Pretexting

With phone pretexting, a Tyler Cybersecurity Social Engineer, using a variety of false identities, will phone employees to try to gain information and/or get them to execute operating system commands. This Assessment tests identification procedures and confidentiality awareness in your organization.

If trying to gain Customer Information, the Tyler Social Engineer will attempt to do one or more of the following:

The Tyler Cybersecurity Social Engineer will use account information provided by the client in order to verify if identification procedures are being followed correctly. Caller ID will be modified to spoof the caller’s identity and all calls will be recorded for reporting purposes.

If attempting to gain Network Information, the Tyler Cybersecurity Social Engineer will request an employee’s help in troubleshooting a fictitious IT problem. If the Social Engineer is able to enlist the employee’s help, the employee may be asked to execute operating system commands that provide network and infrastructure information, visit a website, or open an email with an attachment. Caller ID will be modified to spoof the caller’s identity and all calls will be recorded for reporting purposes.

Email Phishing

This Social Engineering Assessment will test employees’ knowledge of anti-phishing best practices. We will stage an email phishing attack using up to three themes that imitate the styles of common real-world phishing emails. We will send an email to targeted employees attempting to entice them into browsing to an unknown website and/or opening an attachment. The emails, written in HTML, will be designed to identify both user and technical configuration vulnerabilities. We will track any and all user activity back to the specific email address that received the phishing email.

USB Drive Baiting

Our USB Drive Baiting Assessment will test whether employees will plug an unknown USB drive into their workstations and open files stored on the device. For this Assessment, Tyler Cybersecurity will use up to 20 read-only USB drives loaded with generic files that create log entries on a remote Tyler Cybersecurity server when opened. Tyler Cybersecurity remotely tracks how many files are opened in order to provide quantifiable metrics that underscore the potential risk exposure involved.

The USBs can be distributed through any of the following means:

Delivered by mail for you to leave randomly around the office;

Mailed directly to specific employees; or

Left behind in high-volume areas of the building when we do an onsite Assessment.

The files contained on the USB can be customized to contain a message that provides immediate training to employees, alerting them to the potential security issues associated with unknown USB devices.

Reports and Recommendations

The Social Engineering Assessment report includes:

An executive report of our findings in PDF.

A corresponding interactive HTML report detailing each of the Assessment categories, including scenario descriptions, applicable findings, and incident detection and response metrics.

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.

No one is immune to cyber-attacks

Be confident that threats to your network will be detected consistently and accurately with nDiscovery. Our team of cybersecurity experts actively investigates to find threats and is always ready to offer you support and answer your questions.